CVE-2019-17372

Vulnerability

Certain NETGEAR devices, including AC1450, D8500, DC112A, JNDR3000, LG2200D, R4500, R6200, R6200V2, R6250, R6300, R6300v2, R6400, R6700, R6900P, R6900, R7000P, R7000, R7100LG, R7300, R7900, R8000, R8300, R8500, WGR614v10, WN2500RPv2, WNDR3400v2, WNDR3700v3, WNDR4000, WNDR4500, WNDR4500v2, WNR1000, WNR1000v3, WNR3500L, and WNR3500L, expose the CGI endpoint genieDisableLanChanged.cgi without proper authentication [1]. Accessing this endpoint disables all web authentication requirements on the device. Some models require a valid token, which can be obtained from other unauthenticated pages [1].

Exploitation

An attacker can send a GET or POST request to genieDisableLanChanged.cgi (with the correct token if needed) to disable authentication [1]. Once disabled, the attacker can visit MNU_accessPassword_recovered.html to retrieve a new valid admin password [1]. The PoC provided in the reference demonstrates the attack sequence and notes that the device's web service may crash if authentication is not restored within a few minutes [1].

Impact

Successful exploitation allows an attacker to gain full administrative access to the router's web interface. This compromises all functionality, including network configuration, firewall settings, and connected devices. The attacker can potentially exfiltrate data, change DNS settings, or use the device as a pivot point [1].

Mitigation

As of the publication date, NETGEAR has not released firmware fixes for many affected models [1]. Users should disable remote management and ensure the router's web interface is not exposed to the internet. For devices that are end-of-life, replacement is recommended. If a token is required, the PoC suggests mitigating by restricting access to the token pages. Check vendor advisories for updates.